Immich · 2y ago
edkedk

Wrong user when behind reverse proxy

Something very strange happens when I am behind a reverse proxy (nginx). I log in to Immich using a non-admin user and Immich gets connected to the admin account. That doesn't happen if I connect to Immich through the local LAN. Any idea why that happens?
14 Replies
edkedk (OP) · 2y ago
Can someone point me to how Immich authenticates the users? Somehow my proxy server is forwarding wrong information to Immich. Is it through a cookie?
ddshd · 2y ago
What's your proxy config? Is it the same on different browsers?
edkedk (OP) · 2y ago
This problem happens in multiple browsers, different computers and different Android apps. Since it works fine on LAN, I suspect it is a problem in the reverse proxy. See my nginx config below:
```nginx
server {
    listen 7443 ssl;
    server_name <my-domain>;

    # https://github.com/immich-app/immich/blob/main/nginx/templates/default.conf.template#L28
    client_max_body_size 50000M;

    location / {
        proxy_pass http://localhost:2283;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Cookie $http_cookie;

        # http://nginx.org/en/docs/http/websocket.html
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
    }
}
```
jrasm91 · 2y ago
You probably don't want the set header cookie line in there. I'm guessing that is copying the session from the first login request made to the server and putting it on all future requests.
edkedk (OP) · 2y ago
@jrasm91, thank you for your comment, but this is not the issue because I added that after multiple attempts without this line.
jrasm91 · 2y ago
Are you restarting Nginx after making changes? The issue you are describing is non-standard behavior, so you most likely have something misconfigured. To me the cookie header looks obviously wrong, so you should remove and revalidate it either way.
edkedk (OP) · 2y ago
You were right. I could solve it, but I have no idea how. I just started a new nginx config from scratch. Thank you for your help.
My problem was with caching. I solved it by disabling cache in nginx:
```nginx
# Disable caching for the entire server
proxy_cache off;
proxy_cache_valid 0s;
proxy_no_cache 1;
proxy_cache_bypass 1;
```
jrasm91 · 2y ago
Interesting... Maybe it was caching the JSON responses.
ddshd · 2y ago
That's so weird because the session id should change and it should invalidate the cache.
jrasm91 · 2y ago
The cookie header should not impact the caching of responses, should it? Looks like the default cache key is just the URL: `proxy_cache_key $scheme$proxy_host$request_uri;`
ddshd · 2y ago
I guess they assume people using cookies will know to have their proxy invalidate cache properly 🤷🏽‍♂️
jrasm91 · 2y ago
You could include it in your cache key.
ddshd · 2y ago
Yeah, I mean they assume people using cookies will set their cache keys to properly invalidate it. Maybe we can just add the cache key to the nginx config.
edkedk (OP) · 2y ago
I have cache enabled for another web app I use. Somehow this may have affected my Immich server block. Maybe it is a good idea to add directives disabling cache in the example to avoid problems in initial setup like the one I faced. Then the user who knows what he is doing can disable according to their needs. I can confirm that the moment I disabled cache as in my previous post, Immich started to work fine, logging in to the correct user.
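The cache scoping this thread converges on, as an added configuration example that is not from any poster or from the Immich project. It is a fragment for the `http` context; the zone name `app_cache`, the cache path, the `$has_credentials` variable and the second application on port 8080 are constructed assumptions, and TLS certificate directives are omitted as in the original post.

```nginx
http {
    proxy_cache_path /var/cache/nginx/app keys_zone=app_cache:10m;

    # Weak placement: proxy_cache at http level is inherited by every
    # server block, and the default key ignores cookies, so one user's
    # cached response can be served to another user.
    # proxy_cache app_cache;

    # 1 when the request carries a Cookie or Authorization header.
    map "$http_cookie$http_authorization" $has_credentials {
        ""      0;
        default 1;
    }

    # The other web app (constructed): cache enabled only here.
    server {
        listen 8080;
        server_name other-app.example;

        location / {
            proxy_pass http://localhost:9000;
            proxy_cache app_cache;
            # Credentialed requests are neither answered from the cache
            # nor stored in it.
            proxy_cache_bypass $has_credentials;
            proxy_no_cache     $has_credentials;
            # Alternative from the thread: make the cookie part of the key.
            # proxy_cache_key "$scheme$proxy_host$request_uri$http_cookie";
        }
    }

    # Immich: authenticated API responses, so no shared cache at all.
    server {
        listen 7443 ssl;
        server_name <my-domain>;

        location / {
            proxy_pass http://localhost:2283;
            proxy_cache off;   # overrides any inherited proxy_cache
            proxy_set_header Host $http_host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

`nginx -T` prints the effective configuration, which shows whether a `proxy_cache` directive from another file is in scope for the Immich server block.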
